
Re: email lacks sender address



On Wed, Apr 27, 2022 at 02:57:19PM -0500, David Wright wrote:
> 4) The MAIL FROM address, which is the one that you're having trouble
> with.

Just to keep everything clear, the MAIL FROM address and the envelope
sender address are the same thing.  The colloquial use of "sender" (with
lowercase s, and no colon) in some diagnostic messages may refer to
this address.  Or not.  Interpreting diagnostic messages is an art, not
a science.

The original purpose of the MAIL FROM address is "where to send bounces".
Back in the old days, before spam became so prevalent, a typical email
followed a path something like this:

1) User composes the email using their MUA.

2) The MUA injects the email into the local queue using /usr/sbin/sendmail
   (or /usr/lib/sendmail back then).  At this point, the envelope sender
   (MAIL FROM) and envelope recipient (RCPT TO) addresses are established,
   either by the MUA or by the local MTA.

3) The local MTA attempts delivery of the message to the envelope recipient.

4) The recipient's MTA receives the message and injects it into its own
   local queue.

5) The recipient's MTA attempts local delivery of the message.  If this
   fails, a bounce message is created, and sent back to the sender's
   MAIL FROM address, with an empty MAIL FROM.  The empty MAIL FROM on
   the bounce message prevents infinite bounce loops.  The bounce cannot
   be bounced again.

Step 4 is where a lot of changes have occurred in recent decades.  Back in
the original days of email, the receiving MTA typically did not check
things like "is this address actually deliverable".  It would simply
check whether the "@domain" part was "one of mine", or if the message
would have to be relayed.  Checks for the validity of the full recipient
address, including the left-hand side, were delayed until local delivery
processes took over.

This worked well enough until spam took over the Internet.

Spammers began sending messages with two targets -- the actual recipient,
and a second recipient listed in the MAIL FROM.  If the message was
delivered to the actual recipient, then they got a reader that way.  If
the message wasn't delivered to the actual recipient, it might be
bounced back to the MAIL FROM address, and the second recipient would
see it (along with an error message).

Also, if the first recipient happens to be clever enough to read the email
headers, it would appear that the spam was written by the second
recipient, who is also a victim.

This is known as "joe-jobbing".

Modern MTA strategy is to reject the message during the SMTP transaction
if at all possible, and avoid sending bounces -- because the MAIL FROM
is not reliable.

So, the original purpose of the MAIL FROM (destination for bounces) is
mostly obsolete at this point.  Instead, people are using MAIL FROM as
an identifier for authentication purposes.  It's incredibly weak, and
you can spoof it to anything you like, so it's not really a form of
authentication so much as a "way of preventing simple accidents".

A mail relay (smarthost) might decide that it will only accept your
messages if your MAIL FROM is in a special allowed-list.  This is in
addition to whatever other authentication checks the smarthost may perform,
such as checking that the client's IP is in an allowed-list, or SMTP AUTH
which involves using a username and password, or POP-before-SMTP, which
means that it only permits relaying for clients who have accessed the POP3
service on the same machine within the last n minutes.

Isn't email *fun*?

So anyway, configuring your MAIL FROM (envelope sender) address correctly
is really important.
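
The difference between the accept-then-bounce path in steps 4 and 5 and the reject-during-SMTP strategy, as an added example that is not part of the original post. The domain, mailboxes and function names are constructed for illustration, and relaying is not modelled.

```python
# Added illustration; domain, mailboxes and function names are constructed.
LOCAL_DOMAIN = "example.org"
LOCAL_USERS = {"alice", "postmaster"}

def is_local_domain(rcpt_to):
    """True if the "@domain" part is one of ours."""
    return rcpt_to.rpartition("@")[2].lower() == LOCAL_DOMAIN

def is_deliverable(rcpt_to):
    """True if the full address, left-hand side included, is a known mailbox."""
    local = rcpt_to.rpartition("@")[0].lower()
    return is_local_domain(rcpt_to) and local in LOCAL_USERS

def legacy_mta(mail_from, rcpt_to):
    """Old behaviour: check only the @domain at SMTP time, validate the
    left-hand side at local delivery, and bounce on failure.
    Returns (smtp_reply, bounces); each bounce is an envelope dict."""
    if not is_local_domain(rcpt_to):
        return 550, []  # not ours; relaying is not modelled here
    bounces = []
    # A message that arrived with an empty MAIL FROM is itself a bounce
    # and is never bounced again, which is what prevents loops.
    if not is_deliverable(rcpt_to) and mail_from != "":
        # The bounce goes to the unverified MAIL FROM, with an empty MAIL FROM.
        bounces.append({"mail_from": "", "rcpt_to": mail_from})
    return 250, bounces

def modern_mta(mail_from, rcpt_to):
    """Current behaviour: validate the recipient during the SMTP
    transaction and reject there, so no bounce is ever generated."""
    if not is_deliverable(rcpt_to):
        return 550, []
    return 250, []

if __name__ == "__main__":
    # Constructed case: forged envelope sender, nonexistent recipient.
    forged, missing = "victim@elsewhere.example", "nosuchuser@example.org"
    print("legacy:", legacy_mta(forged, missing))
    print("modern:", modern_mta(forged, missing))
```

With the legacy behaviour the third party named in the forged MAIL FROM receives the bounce; with rejection at RCPT time the failure stays with the connecting client.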

